Item7558: Security Alert CVE-2014-7236: Remote Perl code execution with query string to debug TWiki plugins

My name is Netanel Rubin, I work as a vulnerability researcher at Check Point Software Technologies.

This is a critical vulnerability report for an issue I discovered in the TWiki platform. The successful exploitation of the vulnerability allows an attacker to execute Perl code unauthenticated. The vulnerability has been discovered in a fully patched TWiki (ver 6.0.0).

We would like to report the complete vulnerability description over a private channel. Please contact us at netanelr@checkpointNOSPAM.com and shahartal@checkpointNOSPAM.com (my team leader).
If possible, we would also like to coordinate the public disclosure with you.

Best regards,
Netanel.

-- TWiki:Main/NetanelRubin - 2014-09-30

Mail sent. Thanks!

Our security process is documented at TWiki:Codev.TWikiSecurityAlertProcess.

-- TWiki:Main.PeterThoeny - 2014-09-30

Thank you Netanel, we received the alert and will follow our documented process.

• The plugin handler issue will be tracked here
• The file upload issue is tracked at Item7560

-- TWiki:Main.PeterThoeny - 2014-10-01

Now fixed in SVN trunk and 6.0 branch

Patch:

--- TWiki/Plugins.pm.save1   2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm   2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@
 
     unless( $allDisabled ) {
         if ( $query && defined( $query->param( 'debugenableplugins' ))) {
-            @pluginList = split( /[,\s]+/,
-                                 $query->param( 'debugenableplugins' ));
+            @pluginList =
+              grep { /Plugin$/ }
+              map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+              split( /[,\s]+/, $query->param( 'debugenableplugins' ));
+
         } else {
             if( $TWiki::cfg{PluginsOrder} ) {
                 foreach my $plugin( split( /[,\s]+/,

-- TWiki:Main.PeterThoeny - 2014-10-02